Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security contact information #10

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

gregmarsden
Copy link
Collaborator

No description provided.

Add instructions for reporting security vulnerabilities
@@ -67,4 +67,6 @@ requested and approved by the OpenELA TSC on a per-individual basis.

## Contacting the OpenELA TSC

The TSC can be contacted via the email address: [[email protected]](mailto:[email protected])
The TSC can be contacted via the email address: [[email protected]](mailto:[email protected])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing dot at the end of the line

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'll respin this PR without modifying that line

Please report security issues to the Technical Steering Committee.
https://github.com/openela/governance/tree/main/TSC#contacting-the-openela-tsc

We encourage the use of GPG encrypted email.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine. I wonder if we could simply use the GitHub builtin vulnerability reporting instead? Would allow collaboration on issues.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would probably work assuming the TSC gets notified. The one complication is that we'd be directing folks to use a specific repository (the issues repository, which doesn't exist yet) rather than allowing issues everywhere in openela-main, and that would prevent the private-issues-reporting tool from creating forks (since it'd be a different repository).

Copy link
Member

@dirkmueller dirkmueller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Git hub renders the security file if it's all uppercase in the name, so 'SECURITY.md`. would you please rename it that way?

@gregmarsden
Copy link
Collaborator Author

I'm going to hold off on this for now. Dirk is right that native github vulnerability handling is better than emailing the TSC, however those issues should go into the not-yet-created catchall project we're going to have for filing and responding to issues, so we can pick this back up once that repository is available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants